pet

Security checks across malware telemetry and agentic risk

Overview

This skill is a small wrapper for the pet snippet manager, and its sensitive features are expected for that purpose.

Install only if you want an agent to use the local pet CLI. Treat saved snippets as sensitive: review them before running pet exec or syncing, avoid storing tokens or passwords in snippets, and use Gist sync only when you intentionally want those snippets uploaded to GitHub.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs users to sync snippets to a GitHub Gist but does not warn that saved snippets may contain sensitive commands, tokens, hostnames, or operational details that will be transmitted to a third-party service. In a snippet manager, users often store reusable shell commands, so omission of an exfiltration/privacy warning creates a real risk of unintended disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
